4 Answers

Google can read the contents of the emails stored in GMail. That's explicit: they officially scan the email contents, see this FAQ, specifically the question "Is Google reading my mail?":

No, but automatic scanning and filtering technology is at the heart of Gmail. Gmail scans and processes all messages using fully automated systems in order to do useful and innovative stuff like filter spam, detect viruses and malware, show relevant ads, and develop and deliver new features across your Google experience. Priority Inbox, spell checking, forwarding, auto-responding, automatic saving and sorting, and converting URLs to clickable links are just a few of the many features that use this kind of automatic processing.

(This answer can be summed up as: "no, we do not read your emails, except that we totally do read them, but, trust us, that's for your own good".)

So if Google can read the emails, any attacker gaining control of the Google servers obtains, by definition, the same kind of power, i.e. he can read the emails, too.

Now there may be details about storage: possibly, the database contents might be encrypted with a key known by some other Google servers, so that an attacker gaining access to the database only, but not the other servers, would still be locked out of the email contents. This is not very probable, though: there is some non-negligible overhead (a little extra encryption cost, and, more importantly, the inability to perform the most expensive scan&match methods directly on the database machines themselves). So such database "encryption" is normally done only when you do not trust the database provider (but Google is big enough to be its own database provider) or when the data is very sensitive (e.g. passwords). My guess is that emails are stored as cleartext on whatever machines do the storage at Google's.

(Usual wisdom is that email contents are much more at risk during transit than when stored by a competent, security-aware provider. For much better email protection, use GnuPG with your correspondents; this will protect emails both in transit and when stored. GnuPG interaction with GMail's Web interface appears to be tricky, but GMail is also an IMAP provider that you can use with a classical mail client software.)

The question is a bit too simplistic; it would be wrong to assume that (for example) everyone's Gmail e-mails are just in one massive database table.

However, if someone were to compromise the system storing your emails then by definition the only thing stopping them from reading said emails would be encryption. The e-mails could either be encrypted by your private password (unlikely as e-mail providers have to comply with requests for access to these emails) or a key stored elsewhere. So then the attacker would additionally need to compromise the system storing that key.

One would also assume that gmail also have intrusion detection systems in place, meaning that were an attacker to compromise their email storage systems an alarm would be triggered and they would be soon shut out.

The reality of it is that if someone wants to read your e-mail it's probably a lot easier for them to guess (or otherwise obtain) your password.

Good point about other avenues of attack: if you want to get money illegally, you can mug pedestrians in dark alleys or attack Fort Knox - one is far easier, the other has a far greater yield.
– Piskvor, Jan 25 '12 at 13:43

It is possible (though unlikely) for Google to encrypt the content of emails in the database, and decrypt them on the fly. As long as the hacker doesn't have access to the source code that contains the encryption keys, the content of the email remains encrypted in the database and unreadable to the hacker.

If the content of the email is stored in plaintext in the database, then yes there's nothing stopping the hacker from reading them.

You could store mails in encrypted form in the inbox, meaning all received mail is put through scripts and encrypted (PGP/S/MIME) to yourself. Then during synchronization you pull the mails and upload their encrypted version, and on every email you open your client has to decrypt the content. The corresponding passphrase can be cached of course, and you can use a different key pair for explicitly signing/encrypting email communication with other users, to reduce its exposure.
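The encrypt-to-yourself step from the answer above, sketched as an added example (not code from any of the answers): it re-wraps a received message as RFC 3156 PGP/MIME before it is uploaded back to the mailbox. The function names, the sample message and the address `me@example.org` are assumptions, and a local `gpg` binary with your own public key is assumed for the default encryptor.

```python
import subprocess
from email import message_from_bytes, policy
from email.message import EmailMessage

# Headers copied to the outer message; they stay readable to the mail provider.
VISIBLE = ("From", "To", "Cc", "Subject", "Date", "Message-ID")

def gpg_encrypt(data: bytes, recipient: str) -> bytes:
    """ASCII-armored encryption to our own public key via the local gpg binary."""
    cmd = ["gpg", "--batch", "--armor", "--encrypt", "--recipient", recipient]
    return subprocess.run(cmd, input=data, capture_output=True, check=True).stdout

def encrypt_to_self(raw: bytes, recipient: str, encrypt=gpg_encrypt) -> bytes:
    """Return `raw` re-wrapped as RFC 3156 multipart/encrypted (PGP/MIME)."""
    original = message_from_bytes(raw, policy=policy.default)
    if original.get_content_type() == "multipart/encrypted":
        return raw  # sender already encrypted it; do not wrap twice
    # Encrypt the complete original (all headers, body, attachments) as one
    # message/rfc822 entity, so nothing is lost when it is decrypted later.
    armored = encrypt(b"Content-Type: message/rfc822\r\n\r\n" + raw, recipient)
    outer = EmailMessage()
    for name in VISIBLE:
        if original[name]:
            outer[name] = str(original[name])
    outer["MIME-Version"] = "1.0"
    outer["Content-Type"] = 'multipart/encrypted; protocol="application/pgp-encrypted"'
    control, body = EmailMessage(), EmailMessage()
    control.set_content(b"Version: 1\n", maintype="application",
                        subtype="pgp-encrypted", cte="7bit")
    body.set_content(armored, maintype="application",
                     subtype="octet-stream", cte="7bit")
    outer.attach(control)
    outer.attach(body)
    return outer.as_bytes()

# Constructed sample message, not taken from the page.
SAMPLE = (b"From: alice@example.org\r\nTo: me@example.org\r\n"
          b"Subject: invoice\r\nDate: Wed, 25 Jan 2012 13:43:00 +0000\r\n"
          b"Content-Type: text/plain\r\n\r\nThe door code is 4821.\r\n")

if __name__ == "__main__":
    # Needs gpg and a public key for this (placeholder) address in the keyring.
    print(encrypt_to_self(SAMPLE, "me@example.org").decode("ascii"))
```

Only the body and the inner copy of the headers are protected; the headers listed in `VISIBLE` are stored in cleartext on the server so the mailbox can still be sorted and searched by them.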